Let's say there are two users on the LAN, A and B. How do I restrict user A from internet access using iptables rules, and save the rules so that they are still effective after a reboot? And suppose I want to grant that user access at some point: how do I enable it again? I am using Ubuntu Linux 10.04. It would be nice if somebody could show me how to do it from the command line, as I often log in to the machine using a local ssh login. Thanks in advance.

2 Answers
2

I assume that users A and B are using the same Linux machine(s) where you are the administrator. (It's not completely clear from your question. If A and B have their own computers, which they administer themselves, it's a completely different problem.)

The following command will prevent the user with uid 1234 from sending packets on the interface eth0:

    iptables -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP

I recommend reading the Ubuntu iptables guide to get basic familiarity with the tool (and refer to the man page for advanced things like the mangle table).

The user will still be able to run ping (because it's setuid root), but not anything else. The user will still be able to connect to a local proxy if that proxy was started by another user.

To remove this rule, add -D to the command above.

To make the rule permanent, add it to /etc/network/if-up.d/my-user-restrictions (make that an executable script beginning with #!/bin/sh). Or use iptables-save (see the Ubuntu iptables guide for more information).

Thank you very much. And yes, your assumptions are true. Based on your answer and the mentioned Ubuntu guide, is this the right way of doing things if I also wanted to grant the restricted user ssh access (sometimes I want to log in using his account over ssh)?

    iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -p tcp --dport ssh -j ACCEPT
    iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP

I put those rules as is in the mentioned file and things seem to work fine.
–
Marwan Sep 28 '11 at 22:31

@Marwan I think that's right. Note that if you allow ssh access, you allow pretty much anything, since ssh can trivially tunnel other protocols.
–
Gilles Sep 28 '11 at 22:37
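The following script is an added example and is not code from the answer above or from either commenter. It packages the answer's owner-match rule, the optional ssh exception from the comments and the answer's if-up.d persistence suggestion into one command-line tool. The uid 1234 and interface eth0 are the placeholder values the answer uses; the hook path is the one the answer suggests; the WAN_IF, HOOK and IPT variable names and the dry-run mode (IPT="echo iptables") are assumptions of this example. It uses the default filter table, as the answer's command does.

```shell
#!/bin/sh
# Added example, not code from the original answer: per-user outbound block
# with the iptables owner match, plus the optional ssh exception from the
# comments and an ifupdown hook so the rules survive a reboot.
# Assumed defaults (override via environment): uid 1234 and eth0 are the
# placeholders from the answer; the hook path is the one the answer suggests.
# Set IPT="echo iptables" to print the commands instead of running them.

BLOCKED_UID="${BLOCKED_UID:-1234}"
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-iptables}"
HOOK="${HOOK:-/etc/network/if-up.d/my-user-restrictions}"

# Print the rule specifications (everything after -A/-D), one per line, for
# uid $1 on interface $2. With $3 = yes the first rule lets that user open
# outbound ssh connections (port 22 on other hosts); the final rule drops every
# other packet the user sends out of the interface. The owner match is valid
# only for packets this host generates (OUTPUT chain), not forwarded traffic.
user_rules() {
    if [ "${3:-no}" = yes ]; then
        echo "OUTPUT -o $2 -m owner --uid-owner $1 -p tcp --dport 22 -j ACCEPT"
    fi
    echo "OUTPUT -o $2 -m owner --uid-owner $1 -j DROP"
}

# Run every rule spec through $IPT with the given action (-A adds, -D deletes:
# "add -D" in the answer means replacing -A by -D in the same command line).
apply_rules() {
    action="$1"; shift
    user_rules "$@" | while IFS= read -r spec; do
        # Word splitting of $IPT and $spec is intentional here.
        $IPT $action $spec || exit 1
    done
}

block_user()   { apply_rules -A "$@"; }
unblock_user() { apply_rules -D "$@"; }

# Print an ifupdown hook that reapplies the rules whenever the interface comes
# up. ifupdown exports IFACE, so the hook does nothing for other interfaces;
# it also deletes any existing copies of its rules before adding them, so a
# second "ifup" does not stack duplicate entries in the chain.
write_hook() {
    printf '#!/bin/sh\n'
    printf '[ "$IFACE" = "%s" ] || exit 0\n' "$2"
    user_rules "$@" | while IFS= read -r spec; do
        printf 'while iptables -D %s 2>/dev/null; do :; done\n' "$spec"
    done
    user_rules "$@" | while IFS= read -r spec; do
        printf 'iptables -A %s\n' "$spec"
    done
}

# Command-line entry point (root needed for block/unblock/persist): the
# optional second argument "yes" keeps the ssh exception.
case "${1:-}" in
    block)   block_user   "$BLOCKED_UID" "$WAN_IF" "${2:-no}" ;;
    unblock) unblock_user "$BLOCKED_UID" "$WAN_IF" "${2:-no}" ;;
    persist) write_hook   "$BLOCKED_UID" "$WAN_IF" "${2:-no}" > "$HOOK" \
                 && chmod 755 "$HOOK" && echo "wrote $HOOK" ;;
    "")      ;;   # no arguments: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 block|unblock|persist [yes]" >&2; exit 2 ;;
esac
```

Usage, as root: `./restrict-user.sh block` cuts the user off immediately, `./restrict-user.sh unblock` issues the same rule specifications with -D to restore access, and `./restrict-user.sh persist` writes the executable if-up.d hook so the block comes back after a reboot; add `yes` to each to keep the ssh exception. Two caveats worth keeping in mind: the `--dport 22 ACCEPT` rule matches connections the user opens to port 22 on other hosts, which is precisely the tunnelling exposure Gilles points out, so leave it out unless the user really needs to ssh out; and `-j DROP` makes the user's programs wait for timeouts, whereas `-j REJECT` makes them fail immediately, which is friendlier for an interactive account and blocks just as effectively.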